DETAILED ACTION

1. This action is in response to the Request for Continuation (RCE) filed on June
22, 2005. Claims 1 and 18 are currently amended. Claims 1, 3, 4, 6-18, 20-21, and 23-
34 are currently being considered.

Response to Arguments 

2. Applicant's arguments filed on June 22, 2005 have been fully considered but they 
are not persuasive because: 

Regarding amended claim 1, the applicant argues that the CPA, Bendinelli et al.
(US Patent Pub. No. 2002/0029276), does not teach the newly amended limitation
defining the heuristic methodology as "a methodology in which the NAT translates a
private address of the first endpoint to a global address and then attempts to forward to
the first endpoint packets sent by the second endpoint to the global address which
global address is not uniquely associated with the first endpoint and where such
attempts may fail due to collisions and/or race conditions." It appears to the examiner
that the heuristic method, as described, is performing network address translation
(NAT), which is well-known in the art as mapping an internal address (first endpoint
address) to an external address (global address); NAT is used for saving IPv4
address space, for security purposes (the local address is hidden), and for allowing
companies to use internal addresses that will not conflict with external addresses.
Therefore, the rejection is maintained as in the previous Office action and applied to the
new limitations, as it is asserted that the CPA does teach this heuristic methodology, as
it discloses that IP Masquerade will be facilitated for use with NAT, after disclosing an
environment using VPN IPSec (paragraph 141, lines 5-17).

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made.

3. Claims 1 and 18 are rejected under 35 U.S.C. 103(a) as being anticipated by 
Bendinelli et al. (U.S. Patent Publication No. 2002/0029276) in view of Rabenko et al. 
(U.S. Patent No. 6,765,913). 

With respect to claims 1 and 18, Bendinelli et al. disclose a method in program code 
used with a computer readable media (paragraphs 0019 and 0020) comprising: 
After a secure tunnel 

(In paragraph 0180 line 12, Bendinelli discloses that the tunnel uses the IPSEC security 
protocol, meaning that the tunnel is secure.) 

has been created between a first endpoint and a second endpoint on a packet network 
(In paragraph 0138, Bendinelli discloses that after the tunnels are created, encryption 
algorithms and authentication algorithms are negotiated. In paragraph 0245, Bendinelli 
then discloses that one of these algorithms is SSL.)

which tunnel traverses at least one network address translator (NAT) that implements a 
heuristic methodology in translating addresses and/or port numbers, where the heuristic 
methodology is a methodology in which the NAT translates a private address of the first 
endpoint to a global address and then attempts to forward to the first endpoint packets 
sent by the second endpoint to the global address which global address is not uniquely 
associated with the first endpoint and where such attempts may fail due to collisions 
and/or race conditions 

(paragraph 0141, lines 5-13; In the third paragraph of the Linux VPN Masquerade
website admitted as prior art by applicant, it states that VPN Masquerade is a part of IP 
Masquerade which enables to use IPSec-based VPN clients. In paragraph 0141, lines 
14-17, Bendinelli discloses that IP Masquerade will be facilitated for use with NAT, after 
disclosing an environment using VPN and IPSec), 

and which tunnel is operating under a secure protocol that is independent of whatever 
applications are running on the first and second endpoints 

(In paragraph 0180 line 12, Bendinelli discloses that the tunnel uses the IPSEC security 
protocol.) 

and before one or more packets containing application data are sent between the first 
and second endpoints, sending a control packet from the first endpoint of the tunnel 
through the tunnel to the second endpoint of the tunnel; and 

Waiting at the first endpoint for a responsive control packet through the tunnel 
from the second endpoint before sending packets containing application data through
the tunnel. 

(Bendinelli discloses that his method utilizes the SSL (Secure Sockets Layer) protocol 
handshake (Paragraph 0245, line 7) in which the client sends a control message to the 
sender and after receiving the message the server responds. This send and response 
of control packets continue in a specific manner as detailed in the SSL Version 3 
specification and then the client and server have completed the handshake and may 
send data packets. An overview of the handshake protocol can be found in Section 5.5.) 

Bendinelli does not explicitly disclose eliminating race conditions and collisions or 
providing automatic recovery from them. 

Rabenko et al. further disclose the method of automatic recovery (column 9, lines
6-8) wherein the first endpoint sends through the tunnel to the second endpoint a 
predetermined maximum number of control packets without receiving any packets 
through the tunnel then the first endpoint establishes a new tunnel to the second 
endpoint. Rabenko et al. additionally further disclose the method wherein if an endpoint 
is unable to complete the establishment of a new tunnel before a predetermined 
time limit then that endpoint abandons establishment of that tunnel and starts 
establishing a new tunnel (column 97, lines 19-37). It would have been obvious to one 
of ordinary skill in the art at the time of the invention to combine the recovery methods 
of Rabenko et al. with the system of Bendinelli in order to provide automatic recovery 
from a NAT crash or race conditions, as described in applicant's specification. 

6. With respect to claims 3 and 20, Bendinelli et al. disclose further the method in
program code used with a computer readable media (paragraphs 0019 and 0020) 
wherein the tunnel is a secure tunnel and uses the IPSec security protocol suite. (In 
paragraph 0180 line 12, Bendinelli discloses that the tunnel uses the IPSec security 
protocol, meaning that the tunnel is secure). 

7. With respect to claims 4 and 21, Bendinelli et al. disclose further the method in
program code used with a computer readable media (paragraphs 0019 and 0020)
wherein the tunnel uses ESP in tunnel mode (In paragraph 0349, Bendinelli discloses the
format of the IPSec packet and header. The description given matches with the ESP 
tunnel mode implementation of the IPSec security protocol suite as disclosed in Section 
3.1 of RFC 2406 of the IETF, in which when ESP is employed, protection is offered only 
to the inner header, not to the IP packet's outer header and other layers as in AH). 

8. With respect to claims 6 and 23, Bendinelli et al. further disclose the method
wherein the first endpoint is a client and the second endpoint is a server (paragraph
123). 

9. With respect to claims 7 and 24, Bendinelli et al. further disclose the method in 
program code used with a computer readable media (paragraphs 0019 and 0020) 



Application/Control Number: 09/902,520 Page 7 

Art Unit: 2131 

wherein the NAT implements VPN masquerade (In the third paragraph of the Linux VPN 
Masquerade website admitted as prior art by applicant, it states that VPN Masquerade 
is a part of IP Masquerade which enables to use IPSec-based VPN clients. In 
paragraph 0141, lines 14-17, Bendinelli discloses that IP Masquerade will be facilitated 
for use with NAT, after disclosing an environment using VPN and IPSec). 

10. With respect to claims 8 and 25, Bendinelli et al. disclose a method in which 
program code used with a computer readable media (paragraphs 0019 and 0020) 
comprising: 

sending a control packet from a first endpoint of a tunnel through the tunnel to a second 
endpoint of the tunnel (paragraphs 0389, lines 7-9) and waiting at the first endpoint for a 
responsive control packet through the tunnel from the second endpoint (paragraph 
0389, lines 9-10) before sending packets other than a control packet through the tunnel 
(paragraphs 0389, lines 18-20). Bendinelli further discloses that the control packets 
being sent through the tunnel are ICMP packets (paragraph 0389, lines 7-9). 

11. With respect to claims 9, 10, 26 and 27, Bendinelli et al. further disclose the
method in program code used with a computer readable media (paragraphs 0019 
and 0020) wherein the tunnel is defined by an epoch, the epoch comprising one 
security association (SA) in each direction, each SA having a negotiated limited 
lifetime, wherein before the end of the tunnel's lifetime the endpoints establish a 
new tunnel between them, and defining the use of the ESP protocol in tunnel 
mode with negotiated authentication and/or encryption keys and with a security
parameters index (SPI) chosen by the SA's destination. 
(It is inherent in the usage of IPSEC and ESP in tunnel-mode in claims 3 and 4 
that security associations must also be used (RFC 2401 from the IETF, Section 
4). By using the tunnel to communicate from and to the gateway, it is inherent 
that security associations were established in both directions (RFC 2401 from the 
IETF, Section 4.1, lines 6-8). It is also inherent in a security association to have 
negotiated authentication and/or encryption keys (RFC 2461 from the IETF, page 
21, bullet 5) with a security parameters index SPI (RFC 2401 from the IETF,
Section 5.2, paragraph 2, lines 1-2) chosen by the destination (RFC 2401 from 
the IETF, Section 4.7, lines 1-3). Additionally, it is inherent in a security 
association utilizing ESP to have a negotiated limited lifetime wherein before the 
end of the tunnel's lifetime, the security association is rekeyed with a new SPI 
and the endpoints have in essence established a new tunnel (RFC 2401 from the 
IETF, page 21, bullet 7, explanation of lifetimes).

12. Claims 11-12, 14, 15, 28-29, 31 and 32 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Bendinelli et al. (U.S. Publication 2002/0029276) as applied to 
claims 1-4 and 18-21 above, and further in view of Rabenko et al. (U.S. Patent No. 
6,765,913). 

13. Bendinelli et al. disclose the limitations set forth in claims 1-4 and 18-21, 
upon which claims 11-12, 14-15, 28-29, 31, and 32 are dependent. However,
Bendinelli et al. do not disclose the limitations set forth in claims 11-12 (or the
corresponding claims 26-29). 

Bendinelli et al. further do not disclose the limitations set forth in claims 14 and 15 (or 
corresponding claims 31 and 32). 

Rabenko et al. disclose the limitations set forth in claims 11-12, 14-15, 28-29, 31,
and 32. 

14. Both Bendinelli et al. and Rabenko et al. are analogous art because both are 
in the field of secure data communications networks. 

15. With respect to claims 11 and 28, Rabenko et al. further disclose the method
in a computer readable medium (column 9, lines 6-8) wherein a designated
endpoint has responsibility for establishing the new tunnel and ignores requests
initiated by the other endpoint to establish the tunnel (column 19, lines 37-41, 44-
48).

16. With respect to claims 12 and 29, Rabenko et al. further disclose the method
in a computer readable medium (column 9, lines 6-8) wherein the second endpoint 
waits for a packet from the first endpoint through the tunnel before using the 
tunnel to send any packets (column 97, lines 16-19). 



17. It would have been obvious to one of ordinary skill in the art at the time of the
invention to combine these teachings of Rabenko et al. with the method of
Bendinelli et al. in order to reduce the possibility of race conditions, as described
in applicant's specification.

18. With respect to claims 14, 15, 31, and 32, Rabenko et al. further disclose the 
method in a computer readable medium (column 9, lines 6-8) wherein the first 
endpoint sends through the tunnel to the second endpoint a predetermined 
maximum number of control packets without receiving any packets through the 
tunnel then the first endpoint establishes a new tunnel to the second endpoint. 
Rabenko et al. additionally further disclose the method wherein if an endpoint is 
unable to complete the establishment of a new tunnel before a predetermined 
time limit then that endpoint abandons establishment of that tunnel and starts 
establishing a new tunnel (column 97, lines 19-37). 

19. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the recovery methods of Rabenko et al. with the system of 
Bendinelli in order to provide automatic recovery from a NAT crash or race conditions, 
as described in applicant's specification. 

20. Claims 13 and 30 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Bendinelli et al. (U.S. Publication 2002/0029276) as applied to claims 1 and 18
above, and further in view of Capurka et al. (U.S. Patent 6,678,258).

21. Bendinelli et al. and Capurka et al. are analogous art because both deal with the
field of packet data communication systems. 

22. With respect to claims 13 and 30, Bendinelli et al. did not disclose the method in 
computer readable medium wherein if the first endpoint does not receive any packets 
through the tunnel for a predetermined time interval then the first endpoint sends 
through the tunnel a control packet to the second endpoint. 

Capurka et al. further disclose the method in computer readable medium (column 3, 
lines 48-53) wherein if the first endpoint does not receive any packets through the 
tunnel for a predetermined time interval then the first endpoint sends through the tunnel 
a control packet to the second endpoint (column 2, lines 65-67 to column 3, line 1). 

23. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the method of Bendinelli et al. with the method of Capurka et al. in 
order to provide a more inexpensive and efficient recovery method (column 1, lines 49-
52). 

24. Claims 11-12, 14, 15, 28-29, 31 and 32 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Bendinelli et al. (U.S. Publication 2002/0029276) as applied to 
claims 1-4 and 18-21 above, and further in view of Rabenko et al. (U.S. Patent No. 
6,765,913). 

25. Bendinelli et al. disclose the limitations set forth in claims 1-4 and 18-21,
upon which claims 11-12, 14-15, 28-29, 31, and 32 are dependent. However,
Bendinelli et al. do not disclose the limitations set forth in claims 11-12 (or the 
corresponding claims 26-29). 

Bendinelli et al. further do not disclose the limitations set forth in claims 14 and 15 (or 
corresponding claims 31 and 32). 

Rabenko et al. disclose the limitations set forth in claims 11-12, 14-15, 28-29, 31,
and 32. 

26. Both Bendinelli et al. and Rabenko et al. are analogous art because both are 
in the field of secure data communications networks. 

27. With respect to claims 11 and 28, Rabenko et al. further disclose the method
in a computer readable medium (column 9, lines 6-8) wherein a designated
endpoint has responsibility for establishing the new tunnel and ignores requests
initiated by the other endpoint to establish the tunnel (column 19, lines 37-41, 44-
48).

28. With respect to claims 12 and 29, Rabenko et al. further disclose the method
in a computer readable medium (column 9, lines 6-8) wherein the second endpoint 
waits for a packet from the first endpoint through the tunnel before using the 
tunnel to send any packets (column 97, lines 16-19).

29. It would have been obvious to one of ordinary skill in the art at the time of the
invention to combine these teachings of Rabenko et al. with the method of
Bendinelli et al. in order to reduce the possibility of race conditions, as described
in applicant's specification.

30. With respect to claims 14, 15, 31, and 32, Rabenko et al. further disclose the
method in a computer readable medium (column 9, lines 6-8) wherein the first
endpoint sends through the tunnel to the second endpoint a predetermined 
maximum number of control packets without receiving any packets through the 
tunnel then the first endpoint establishes a new tunnel to the second endpoint. 
Rabenko et al. additionally further disclose the method wherein if an endpoint is 
unable to complete the establishment of a new tunnel before a predetermined 
time limit then that endpoint abandons establishment of that tunnel and starts 
establishing a new tunnel (column 97, lines 19-37). 

31. It would have been obvious to one of ordinary skill in the art at the time of the
invention to combine the recovery methods of Rabenko et al. with the system of 
Bendinelli in order to provide automatic recovery from a NAT crash or race conditions, 
as described in applicant's specification. 

32. Claims 16, 17, 33, and 34 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Bendinelli et al. (U.S. Patent Publication No. 2002/0029276) in view
of Rabenko et al. (U.S. Patent No. 6,765,931) as applied to claims 1-3, 9-10, 15, 18,
20, 26, 27, and 32 above, and further in view of Ogier et al. (U.S. Patent
Publication No. 2003/0179742).

33. With respect to claims 16, 17, 33, and 34, Ogier et al. further disclose the 
method in a computer readable medium (The method is implemented in the 
internetworking system which is made up of subnets (paragraph 0053, lines 1-2), 
which are in turn made up of nodes (paragraph 0055, lines 6-10). Nodes, as 
disclosed by Ogier et al. in paragraph 0384, are a computer readable medium.) 
wherein if an endpoint successively fails to establish a new tunnel before a 
predetermined maximum number of times then that endpoint closes the 
connection currently being used to establish tunnels with the other endpoint and 
opens another such connection (paragraph 0361, lines 1-12) wherein the
connection is an IKE session (Bendinelli: paragraph 0187, lines 4-6, paragraph
0188, lines 6-9).
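The control-packet and recovery behaviour the examiner walks through in items 10, 18, 22 and 33 above (send a control packet and wait for the responsive control packet before any application data; send a control packet again when nothing has been received for a predetermined interval; establish a new tunnel after a predetermined maximum number of unanswered control packets; abandon an establishment that exceeds a time limit; close the IKE session and open another after a predetermined number of successive failures) fits in one small state machine. The following is an added example written for this page; it is not code from the application or from any of the cited references. The `Link` class (a constructed stand-in for the peer and the NAT between the endpoints, in which a "NAT crash" is modelled as the loss of the translation mapping), the tick-based clock, the parameter names in `Policy`, and the choice to hold application data while a keepalive is unanswered are all this example's own assumptions.

```python
from dataclasses import dataclass

ESTABLISHING, PROBING, READY = "establishing", "probing", "ready"  # endpoint states


@dataclass
class Policy:
    idle_interval: int = 3         # ticks without received packets before a control packet is sent
    max_unanswered: int = 3        # unanswered control packets before a new tunnel is established
    establish_time_limit: int = 5  # ticks allowed to establish a new tunnel before abandoning it
    max_failed_attempts: int = 3   # successive failed establishments before the IKE session is replaced


class Link:
    """Constructed stand-in for the peer plus the NAT between the endpoints (not a real network)."""

    def __init__(self, nat_crash_at=None, establish_delay=1, stalled_attempts=()):
        self.nat_crash_at = nat_crash_at               # tick at which the NAT loses its translation state
        self.establish_delay = establish_delay         # ticks a normal establishment takes
        self.stalled_attempts = set(stalled_attempts)  # establishment attempts that never complete
        self.attempts, self.started_at, self.mapping_created_at = 0, None, None

    def start_tunnel(self, now):
        self.attempts += 1
        self.started_at = now

    def tunnel_established(self, now):
        if self.attempts in self.stalled_attempts or now - self.started_at < self.establish_delay:
            return False
        self.mapping_created_at = now  # a newly established tunnel creates a fresh NAT mapping
        return True

    def control_exchange(self, now):
        """True if a control packet sent now is answered, i.e. the NAT mapping still exists."""
        if self.mapping_created_at is None:
            return False
        return self.nat_crash_at is None or now < self.nat_crash_at or self.mapping_created_at >= self.nat_crash_at


class Endpoint:
    """The first endpoint's control-packet and recovery logic, driven one tick at a time."""

    def __init__(self, policy, link):
        self.policy, self.link = policy, link
        self.tunnel_id, self.ike_session, self.failed_attempts = 0, 1, 0
        self._start_new_tunnel(0)

    def _start_new_tunnel(self, now):
        self.tunnel_id += 1
        self.state, self.establish_started = ESTABLISHING, now
        self.unanswered = self.idle_ticks = 0
        self.link.start_tunnel(now)

    def _send_control(self, now):
        if self.link.control_exchange(now):
            self.unanswered = self.idle_ticks = 0
            self.state = READY  # responsive control packet received: application data may flow
            return
        self.unanswered += 1
        self.state = PROBING  # this example's choice: hold application data until the tunnel proves alive
        if self.unanswered >= self.policy.max_unanswered:
            self._start_new_tunnel(now)  # predetermined maximum reached: establish a new tunnel

    def tick(self, now):
        if self.state == ESTABLISHING:
            if self.link.tunnel_established(now):
                self.failed_attempts = 0
                self._send_control(now)  # probe the tunnel before any application data is sent
            elif now - self.establish_started >= self.policy.establish_time_limit:
                self.failed_attempts += 1  # abandon this establishment and start another
                if self.failed_attempts >= self.policy.max_failed_attempts:
                    self.ike_session += 1  # close the IKE session and open another
                    self.failed_attempts = 0
                self._start_new_tunnel(now)
        elif self.state == PROBING:
            self._send_control(now)
        else:  # READY: probe once nothing has been received for idle_interval ticks
            self.idle_ticks += 1
            if self.idle_ticks >= self.policy.idle_interval:
                self._send_control(now)

    def can_send_data(self):
        return self.state == READY


def simulate(link, policy, ticks):
    """Drive one endpoint for `ticks` ticks; return it and the ticks on which data could be sent."""
    ep = Endpoint(policy, link)
    data_ticks = []
    for now in range(1, ticks + 1):
        ep.tick(now)
        if ep.can_send_data():
            data_ticks.append(now)
    return ep, data_ticks
```

Running `simulate(Link(nat_crash_at=6, stalled_attempts={2, 3}), Policy(idle_interval=2, max_unanswered=2, establish_time_limit=3, max_failed_attempts=2), 18)` shows the whole sequence: data flows from tick 1, the keepalive at tick 7 goes unanswered once the NAT has lost its mapping, the second unanswered probe at tick 8 triggers a new tunnel, two stalled establishments each time out after three ticks, the second timeout replaces the IKE session, and the fourth tunnel comes up at tick 15 and is probed before data resumes.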

34. Bendinelli et al., Rabenko et al. and Ogier et al. are all analogous art
because all deal with the field of secure data communications networks. It would
have been obvious to one of ordinary skill in the art at the time of the invention to
combine the method of Ogier et al. with the combined system of Bendinelli et al.
and Rabenko et al. in order to provide fail-over recovery from a crash of the NAT.



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kaveh Abrishamkar whose telephone number is 571- 
272-3786. The examiner can normally be reached on Monday thru Friday 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Conclusion

AYAZ SHEIKH
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100

KA

08/23/05


